ATM Attack Methods and Their Consequences

Introduction

Remember how satisfying it is to hear the sound of bills being counted by an ATM? It’s even better to take that cash out. These sensations are what many criminals chase when they carry out targeted attacks on ATMs. Recently, researchers have been recording more large-scale ATM attacks, and criminals continue to refine their methods in pursuit of cash. That’s why it’s important to stay informed about the main types of ATM attack schemes.

The problem of ATM hacking has become so widespread that the U.S. Secret Service sent out warnings to financial institutions this year. Years ago, Barnaby Jack amazed Black Hat conference attendees by demonstrating an attack that made an ATM literally spit out money. This method became known as jackpotting, and until recently, experts considered it only a hypothetical way to hack ATMs.

Now, with the emergence of malware like Ploutus.D, jackpotting can be confidently added to the growing list of ATM attack types. In addition to jackpotting, skimming, shimming, and network attacks on ATMs are also well-known. Let’s take a look at the most popular ATM attack schemes and ways to protect against them.

Jackpotting

This type of attack involves criminals using external electronic devices or malicious software to gain control over the ATM’s hardware. These are also known as “cash-out attacks.”

In some cases, criminals replaced the entire hard drive of the ATM and ran malware that made the ATM “spit out” cash. In other incidents, attackers connected a USB cable linking the ATM’s computer to a device they owned, which forced the ATM to dispense all available funds in a similar way.

By using the USB port, scammers could also connect the ATM to a USB drive containing malware. This would infect the ATM, which would then dispense cash to the criminals.

One such attack was recorded back in 2015 in Germany, where criminals connected the ATM’s computer to their own device, allowing them to withdraw money without authorization.

A cybercriminal from Novosibirsk also made headlines by stealing 360,000 rubles from an ATM using a flash drive loaded with malware.

This attack technique is known as BlackBox. As of April this year, experts have noted a sharp increase in demand for BlackBox among criminals. A BlackBox attack works by connecting an external device directly to the dispenser, either through a hole drilled in the ATM’s casing or by using engineer keys to open the ATM’s service area where the computer is located.

The best way to minimize the risk of jackpotting attacks is end-to-end encryption, especially between the ATM’s computer and the dispenser. Reliable network security controls should also be used to reduce the attack surface.
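
The following is an added illustration of the mitigation just described, not code from the original article or from any ATM vendor. It models the dispenser controller accepting a cash-out command only when it carries a valid HMAC-SHA256 tag computed with a key shared by the ATM computer and the dispenser, and only when the command’s counter is fresh. That is the authentication half of an end-to-end protected host-to-dispenser link: a BlackBox device plugged into the cable has no key, so its injected commands are rejected, and a captured legitimate command cannot be replayed. The message format, field names and the placeholder key are assumptions for the example; a real deployment would also encrypt the payload and provision per-device keys.

```python
import hashlib
import hmac
import json

# Placeholder shared secret (assumption for the example). In practice this is
# provisioned to the ATM computer and the dispenser controller during setup.
SHARED_KEY = b"placeholder-dispenser-key-not-for-production"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256


def build_dispense_command(key, counter, transaction_id, amount_cents):
    """Build an authenticated dispense message: JSON body followed by its tag.

    The monotonically increasing counter binds the tag to exactly one command,
    so a captured message cannot be replayed to trigger a second payout.
    """
    body = json.dumps(
        {"ctr": counter, "txn": transaction_id, "amount": amount_cents},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class DispenserController:
    """Hypothetical dispenser firmware logic: verify, then dispense."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0      # highest counter accepted so far
        self.dispensed = []        # (transaction_id, amount) actually paid out

    def handle(self, message):
        """Return "OK" and record the payout only for a fresh, authentic command."""
        if len(message) <= TAG_LEN:
            return "REJECT: malformed"
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(tag, expected):
            return "REJECT: bad tag"
        fields = json.loads(body)
        if fields["ctr"] <= self.last_counter:
            return "REJECT: replay"
        self.last_counter = fields["ctr"]
        self.dispensed.append((fields["txn"], fields["amount"]))
        return "OK"


def demo():
    """Exercise the controller with constructed legitimate and hostile messages."""
    ctl = DispenserController(SHARED_KEY)
    results = []
    legit = build_dispense_command(SHARED_KEY, 1, "TXN-0001", 10000)
    results.append(ctl.handle(legit))                    # genuine command
    results.append(ctl.handle(legit))                    # same message replayed
    # A device on the cable without the key can only guess a key.
    results.append(ctl.handle(
        build_dispense_command(b"attacker-guess", 2, "TXN-0002", 50000)))
    # Altering the amount in a captured command breaks its tag.
    results.append(ctl.handle(
        legit.replace(b'"amount": 10000', b'"amount": 99999')))
    return results, ctl.dispensed


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Only the first command results in a payout; the replay, the unkeyed forgery and the tampered copy are all refused before the dispenser acts, which is the property a keyed host-to-dispenser channel is meant to provide against cable-level BlackBox devices.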

The most notorious cybercriminal group using jackpotting is Cobalt, which attacked banks worldwide and stole over 1 billion euros. The leader of Cobalt, active since 2013, was eventually caught by law enforcement in Spain.

Skimming

Skimming (from the English “skim”, to glide over or barely touch) is a type of payment-card fraud. Criminals install hidden devices in ATMs, most often those located outdoors, to read card information during transactions.

With the stolen card data, criminals create duplicates with the PIN code recorded on the magnetic stripe, allowing them to use the card for fraudulent purchases in stores and online.

Unfortunately, it’s very difficult for victims of skimming to prove fraud to their bank. The best and most reliable way to protect yourself is to use chip-enabled payment cards and strictly follow all card safety precautions.

Skimming attacks require a skimmer—a card-reading device that can be easily inserted into the card slot of any ATM. When a user inserts their card, it passes through the skimmer, which scans and saves the information, then transmits it to the criminal.

Attackers also need the victim’s PIN, which they can obtain using hidden cameras or by placing an overlay on the keypad. Skimming remains the most common ATM attack method because the vulnerability lies in the magnetic stripe on the cards themselves.

As long as cards have magnetic stripes and must pass through a reader, criminals will have an attack surface. Skimming can be countered by installing comprehensive anti-skimming solutions and monitoring systems.

For example, ATM manufacturers use technologies that interfere with skimmers, preventing them from collecting card data. These solutions can also instantly alert ATM operators, who can then immediately shut down the ATM if an attack is detected.

Notable skimming incidents include three residents of Dagestan who committed a series of ATM thefts. In the U.S., an unemployed man was convicted for compromising 13,000 bank cards using a similar scheme. A federal court in San Diego sentenced him to seven years and three months in prison for organizing a large-scale skimming operation.

Shimming

A so-called shimmer is installed inside the card reader, and criminals can do this in just a few minutes, often pretending to make a legitimate withdrawal. Shimmers are made from thin, flexible circuit boards and a microprocessor.

Once installed, the microprocessor on the shimmer acts as a “chip-in-the-middle,” relaying commands between the ATM and the victim’s card while recording all the information the attacker needs. Later, the criminal retrieves this data to create a counterfeit card.

Shimmers are harder to detect than skimmers because they are fully integrated into the card reader, making them almost invisible.

Although shimming is quite popular, it only works if the targeted bank’s transaction processing is poorly organized. The criminal cannot use a cloned card if a CVV code is required for the transaction. However, if the code is not required (for example, for some online transactions), the criminal can steal money.

Network Attacks on ATMs

In these attacks, cybercriminals infect ATMs through the network. Once they gain access to the bank’s network, they can remotely install malware on the ATM. It’s important to note that many privately operated ATMs, such as those in retail stores, use unencrypted messages, putting cardholder data at risk.

On one online marketplace, a set of ATM malware called Cutlet Maker was found for sale for $5,000. Cybercriminals actively advertised Cutlet Maker, which was designed to attack various Wincor Nixdorf ATM models. The malware used the manufacturer’s API, allowing illegal actions without interacting with ATM users or their data.

These types of attacks on bank networks are similar to cyberattacks on other types of infrastructure, so the same protection methods should be used, including:

  • Protecting credentials – Secure storage of credentials and limiting access to minimize the risk of unauthorized use.
  • Protecting sessions – Clearly separating the administrator endpoint from the ATM infrastructure to prevent malware from spreading from the network to assets.
  • Enforcing least privilege and endpoint protection – Reducing the attack surface and using whitelisting and blacklisting principles.
  • Continuous monitoring – Thoroughly scanning the network based on event patterns. If an attacker gains access to data, responsible parties must immediately detect and eliminate malicious behavior.
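
As an added example of the last two items in this list (it is not code from the original article or from any ATM vendor), the script below applies a process allowlist and simple event-pattern rules to a constructed stream of ATM host events. The log format, host name, process names and thresholds are all assumptions made for the example. It raises an alert when a process outside the allowlist starts on the ATM host, when removable storage is attached, when cash is dispensed with no card session, and when a dispense follows suspicious activity within a short window, which is the kind of correlation a monitoring system would use to catch both network-delivered and USB-delivered malware before or as it cashes out.

```python
import re
from datetime import datetime

# Hypothetical allowlist of executables permitted on the ATM host.
ALLOWED_PROCESSES = {"atmapp.exe", "xfsservice.exe", "svchost.exe", "lsass.exe"}

# A dispense this soon after a suspicious event is escalated (assumed window).
SUSPICIOUS_WINDOW_SECONDS = 600

# Constructed sample events: "<timestamp> <host> <type> key=value ...".
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 atm-017 process image=atmapp.exe parent=services.exe
2024-05-01T09:00:05 atm-017 usb class=hid vendor=04d9
2024-05-01T09:12:40 atm-017 usb class=mass_storage vendor=0951
2024-05-01T09:12:43 atm-017 process image=update.exe parent=explorer.exe
2024-05-01T09:12:50 atm-017 dispense amount=40000 session=none
2024-05-01T09:30:00 atm-017 dispense amount=20000 session=card-8821
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_event(line):
    """Turn one log line into (timestamp, host, type, {key: value})."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, host, etype, rest = m.groups()
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return datetime.fromisoformat(ts), host, etype, fields


def detect(log_text):
    """Return a list of (timestamp, rule) alerts for the given event stream."""
    alerts = []
    last_suspicious = None  # timestamp of the most recent suspicious event

    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, host, etype, f = parsed
        stamp = ts.isoformat()

        if etype == "process" and f.get("image") not in ALLOWED_PROCESSES:
            alerts.append((stamp, "unapproved_process"))
            last_suspicious = ts
        elif etype == "usb" and f.get("class") == "mass_storage":
            alerts.append((stamp, "removable_storage_attached"))
            last_suspicious = ts
        elif etype == "dispense":
            if f.get("session", "none") == "none":
                alerts.append((stamp, "dispense_without_session"))
            if last_suspicious is not None and \
                    (ts - last_suspicious).total_seconds() <= SUSPICIOUS_WINDOW_SECONDS:
                alerts.append((stamp, "dispense_after_suspicious_activity"))

    return alerts


if __name__ == "__main__":
    for stamp, rule in detect(SAMPLE_EVENTS):
        print(stamp, rule)
```

On the sample stream the first process launch and the keyboard-class USB device pass silently; the mass-storage attach, the unlisted `update.exe`, and the session-less dispense ten seconds later each produce an alert, and the dispense is escalated because it falls inside the window after the suspicious events. The later dispense with a card session, well outside the window, is left alone.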

Conclusion

ATM attacks are as old as the machines themselves, but some of the methods used by criminals are relatively new. Certain malicious schemes have forced banks to rethink how to effectively protect their ATMs. By understanding the most common attack methods, banks can better navigate protection strategies and more effectively safeguard their customers’ funds.
